Hi Matt! On Fri, Oct 06, 2017 at 03:43:38PM -0700, Matt Taggart wrote: > On 10/06/2017 02:28 PM, Salvatore Bonaccorso wrote: > > Control: notfixed -1 1.2.8p26-1 > > > > Hi! > > > > On Fri, Oct 06, 2017 at 09:09:03PM +0000, Debian Bug Tracking System wrote: > > > This is an automatic notification regarding your Bug report > > > which was filed against the src:check-mk package: > > > > > > #865497: check-mk: CVE-2017-9781: reflected XSS in webapi.py > > > > I looked up the source for 1.2.8p26-1. > > > > The fix for CVE-2017-9781 is > > > > http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1 > > > > which does not yet seem to be applied to 1.2.8p26-1? > > > > Can you please double-check? > > > > > > Note, there is a second CVE now for check-mk, that one got addressed > > in 1.2.8p26, but it's not clear yet in which version in was > > introduced. > Hi, > > You are right, the fix for CVE-2017-9781, which upstream calls "werk #4757" > is _not_ in 1.2.8p26. I was confused with upstream #5208 when I wrote the > changelog that closed the bug.
Thanks for confirming! > Upstream lists the following security related fixes for 1.2.8 > ============================================================== > #5208 > http://mathias-kettner.com/check_mk_werks.php?werk_id=5208&HTML=yes > http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=673360408b90f99bd54cf936091cff08d979a057 > > #4902 > http://mathias-kettner.com/check_mk_werks.php?werk_id=4902&HTML=yes > http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=96e39a0f024d9b2b521576c1eb71aca7fb3e818d > > #7661 (fixed in 1.4.0p8, supposedly fixed in 1.2.8p25?) > http://mathias-kettner.com/check_mk_werks.php?werk_id=7661&HTML=yes > > #7631 > http://mathias-kettner.com/check_mk_werks.php?werk_id=7631&HTML=yes > > #3970 (fixed in 1.2.8p14) > http://mathias-kettner.com/check_mk_werks.php?werk_id=3970&HTML=yes > > #3855 (fixed in 1.2.8p11) > http://mathias-kettner.com/check_mk_werks.php?werk_id=3855&HTML=yes > > #3743 (fixed in 1.2.8p10) > http://mathias-kettner.com/check_mk_werks.php?werk_id=3743&HTML=yes > > Full list of changes for 1.2.8p26 > ================================= > http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.2.8&version=1.2.8p26&HTML=yes > > Full list of changes for 1.4.0p14 > ================================= > http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.4.0&version=1.4.0p14&HTML=yes > > which additionally lists > > #4757 (as you mentioned above, fixed in 1.4.0p6) > http://mathias-kettner.com/check_mk_werks.php?werk_id=4757&HTML=yes > http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=14a5b79c6f549502244a60146ed6831dc3473f2a > > #7643 (only in 1.4 and newer) > http://mathias-kettner.com/check_mk_werks.php?werk_id=7643&HTML=yes > > So I think the Debian 1.2.8p16 package is only missing #4757. Ok. Do you know something about https://mathias-kettner.de/check_mk_werks.php?werk_id=5208&HTML=yes . I twas fixed in 1.2.8p26, but I failed to see if it was introduced *after* 1.2.8p14-1. But I will try to handle that in a seprate bug. I tried to git clone the git repository mentioned at http://git.mathias-kettner.de/check_mk.git but that just does not work for me. > > I will ask upstream if they intend to fix #4757 in the 1.2.8 series. > Unfortunately due to how the upstream tarball/build works, it is tricky to > patch upstream files. If upstream doesn't intend to include this fix I can > generate a patch to make it work. Ok thanks. > I had started working on packaging 1.4.0 as a way to fix these security bugs > (and even did an upload to experimental) but I recently learned from > upstream that: > > "The use of Check_MK without OMD environment and customization of paths is > explicitly not supported anymore." > > ie you can't use check-mk stand-alone, you have to use OMD (and > livestatus/WATO/multisite, the whole stack) and you have to use upstream's > installer to upstream's paths. It's very much the "network appliance" model > (or flatpak, docker image, etc) > I don't know if we'll be able to make this work in Debian. (not to mention > that nagios is gone and icinga1 will go away at some point) Hmm, that sounds bad. I guess if that turns out to be true, then would better alternative to drop check-mk completely from the Debian archive? I mean specifically, for the buster release cycle, if 1.2.8 based series should be included then still. > That prompted me to go back to 1.2.8 and package the latest release there in > order to at least have something working without the security bugs. Ok. I'm not too familiar with check-mk itself, I only worked on it from tracking security fixes point of view. Can you say something, on how long are the 1.2.8 series planned to be supported upstream? Regards, Salvatore

